Author Archives: wpscanteam

For the past few weeks we have been busy working on new features and improvements to our WordPress Vulnerability Database, which went live today.

Even though the whole world is going through difficult times right now, we are still here adding vulnerabilities to our databases and improving our services.

So, what do we have for you!

More

WordPress Plugin Vulnerabilities

• LifterLMS < 3.37.15 – Arbitrary File Writing
• WordPress SEO Plugin – Rank Math < 1.0.41 – Redirect Creation via Unprotected REST API Endpoint
• WordPress SEO Plugin – Rank Math < 1.0.41 – Privilege Escalation via Unprotected REST API Endpoint
• Elementor Page Builder < 2.9.6 – Authenticated Safe Mode Privilege Escalation
• CM Pop-Up banners < 1.4.11 – Authenticated Stored XSS
• IMPress for IDX Broker < 2.6.2 – Authenticated Post Creation, Modification, and Deletion
• IMPress for IDX Broker < 2.6.2 – Authenticated Stored Cross-Site Scripting (XSS) via unprotected ‘idx_update_recaptcha_key’ AJAX
• All-in-One WP Migration < 7.15 – Arbitrary Backup Download
• Product Lister for Walmart <= 1.0.0 – Unauthenticated RCE via Outdated PHPUnit
• Multiple plugins – Unauthenticated Dompdf Local File Inclusion (LFI)
• Data Tables Generator By Supsystic < 1.9.92 – CSRF to Stored XSS, Data Table Creations, Settings Modification
• Data Tables Generator By Supsystic < 1.9.92 – Authenticated Stored XSS
• Data Tables Generator By Supsystic < 1.9.92 – Insecure Permissions on AJAX Actions
• Cookiebot < 3.6.1 – Authenticated Reflected Cross-Site Scripting (XSS)
• WPvivid Backup < 0.9.36 – Missing Authorization Leading To Database Leak
• Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 – Unprotected AJAX Endpoints
• Advanced Ads < 1.17.4 – Authenticated Reflected XSS via Admin Dashboard
• Custom Post Type UI < 1.7.4 – CSRF to Stored XSS
• Newsletter < 6.5.4 – CSV Injection
• LearnPress < 3.2.6.7 – Privilege Escalation
• WordPress File Upload < 4.13.0 – Directory Traversal to RCE
• Popup Builder < 3.64.1 – Multiple Issues
• Multiple WebToffee Plugins – Cross-Site Request Forgery (CSRF) Issue
• Import Export WordPress Users < 1.3.9 – Authenticated Arbitrary User Creation
• Search Meter <= 2.13.2 – CSV Injection
• MStore API < 2.1.6 – Unauthenticated Arbitrary Account Creation/Edition
• Font Awesome 4.0.0-RC15 & RC16 – API Token & Access Token Disclosure
• WPML < 4.3.7 – Authenticated Cross Site Request Forgery leading to Remote Code Execution
• WP Security Audit Log < 4.0.2 – Broken Access Control in First-Time Install Wizard
• Custom Searchable Data Entry System <= 1.7.1 – Unauthenticated Data Modification and Deletion (0-day, being exploited)
• RegistrationMagic – Custom Registration Forms and User Login < 4.6.0.4 – Multiple Critical Issues
• WP Advanced Search < 3.3.4 – Unauthenticated Database Access and Remote Code Execution (RCE)
• WPForms < 1.5.9 – Authenticated Cross Site Scripting (XSS)
• Brizy – Page Builder < 1.0.114 – Unauthenticated Site Settings Update
• Appointment Booking Calendar < 1.3.35 – CSV Injection
• Appointment Booking Calendar < 1.3.35 – Authenticated Stored Cross-Site Scripting (XSS)
• WooCommerce Smart Coupons < 4.6.5 – Unauthenticated Coupon Creation
• Testimonial < 2.1.7 – Authenticated Stored Cross-Site Scripting (XSS)

More

From today all Enterprise users have access to Slack Incoming Webhook Notifications functionality.

The new notifications allow Enterprise users to set a Slack Incoming Webhook URL within their profile page that will send a Slack notification with the vulnerability title and URL every time a new vulnerability is added to our database.

More

While checking fixes of critical issues in a premium plugin, we stumbled across an insufficient filename entropy where the PHP function time() was used to generate a part of the md5 hashed string to form the filename. These files generally contain sensitive data, such as log, PII etc and as it’s not the first we see such a mistake, we though it would be a good idea to make a post out of it.More

WordPress Plugin Vulnerabilities

• wpdefault – Backdoor Plugin
• Async Javascript < 2.20.02.27 – Subscriber+ Stored XSS via Plugin Settings Change
• 10Web Map Builder for Google Maps < 1.0.64 – Unauthenticated Stored XSS via Plugin Settings Change
• Modern Events Calendar Lite <= 5.1.6 – Multiple Subscriber+ Stored XSS
• Export Users to CSV <= 1.4.2 – CSV Injection
• Photo Gallery < 1.5.46 – Multiple Cross-Site Scripting (XSS) Issues
• Envira Photo Gallery < 1.7.7 – Authenticated Stored Cross-Site Scripting (XSS) Issue
• Pricing Table by Supsystic < 1.8.2 – Insecure Permissions on AJAX Actions
• Pricing Table by Supsystic < 1.8.2 – Unauthenticated Stored XSS
• Pricing Table by Supsystic < 1.8.1 – Cross-Site Request Forgery to XSS and Setting Changes
• Flexible Checkout Fields for WooCommerce < 2.3.2 – Unauthenticated Settings Update
• Hero Maps Premium < 2.2.3 – Unauthenticated Reflected Cross-Site Scripting (XSS)
• Ultimate Membership Pro < 8.6.2 – Multiple CSRF Issues via AJAX Calls, Insufficient Filename Entropy
• Ultimate Membership Pro < 8.7 – Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation
• CardGate < 3.1.16 – Unauthorised Payments Hijacking and Order Status Spoofing
• Chained Quiz < 1.1.9.1 – Authenticated Stored XSS
• Modula Image Gallery < 2.2.5 – Authenticated Stored Cross-Site Scripting (XSS)
• Duplicator 1.3.24 & 1.3.26 – Unauthenticated Arbitrary File Download
• Easy Property Listings < 3.4 – Cross-Site Request Forgery (CSRF)
• ThemeREX Addons – Remote Code Execution (0day, Being Exploited)
• wpCentral < 1.5.1 – Improper Access Control to Privilege Escalation
• ThemeGrill Demo Importer < 1.6.3 – Auth Bypass & Database Wipe
• Popup Builder < 3.0 – SQL injection via PHP Deserialization
• GDPR Cookie Consent < 1.8.3 – Improper Access Controls
• Profile Builder and Profile Builder Pro < 3.1.1 – User Registration With Administrator Role
• Participants Database < 1.9.5.6 – Authenticated Time Based SQL Injection
• Ultimate Membership Pro < 8.6.1 – Multiple Critical Vulnerabilities
• Events Manager < 5.9.7.2 – CSV Injection
• Events Manager Pro < 2.6.7.2 – CSV Injection
• Tutor LMS < 1.5.3 – Cross-Site Request Forgery (CSRF)
• Ninja Forms < 3.4.23 – CSRF to Stored Cross-Site Scripting (XSS) Issues
• Strong Testimonials < 2.40.1 – Stored Cross Site Scripting (XSS)
• Htaccess by BestWebSoft <= 1.8.1 – CSRF to edit .htaccess

More

From today we have two new fields output in our API for enterprise users, the description and poc fields.

We have been displaying this data on the wpvulndb.com website since almost the beginning of the project, but excluded the data from the API due to concerns of the extra bandwidth costs.

We have had a number of users request the data be output within the API over the years, and quite a few recently.

More

On March 2nd 2020 we will be introducing paid vulnerability email alerts for instant and daily emails.

Traditionally we have been giving these away free of charge to our users, but the number of subscribers has increased steadily over the years and they are starting to become a significant monthly cost to us.

More

WordPress Plugin Vulnerabilities

• Strong Testimonials < 2.40.1 – Stored Cross Site Scripting (XSS)
• GistPress < 3.0.2 – Authenticated Stored XSS
• Code Snippets < 2.14.0 – CSRF to RCE
• Elementor Page Builder < 2.8.5 – Authenticated Reflected XSS
• Elementor Page Builder < 2.7.6 – Authenticated Stored XSS
• WPS Hide Login < 1.5.5 – Secret Login Page Disclosure
• WP DS FAQ Plus < 1.4.2 – Stored Cross-Site Scripting (XSS)
• wpCentral < 1.4.8 – Privilege Escalation
• Contact Form Clean and Simple <= 4.7.0 – Authenticated Stored XSS
• Calculated Fields Form < 1.0.354 – Authenticated Stored XSS
• Chatbot with IBM Watson < 0.8.21 – DOM Cross-Site Scripting (XSS)
• AccessAlly < 3.3.2 – Arbitrary PHP Execution
• 2J SlideShow < 1.3.40 – Authenticated Arbitrary Plugin Deactivation
• Batch-Move Posts <= 1.5 – Broken Authentication leading to Unauthenticated Stored XSS
• Contextual Adminbar Color < 0.3 – Authenticated Stored Cross-Site Scripting Issue
• Marketo Forms and Tracking <= 1.0.2 – CSRF to XSS
• WP Database Reset < 3.15 – Unauthenticated Database Reset
• WP Database Reset < 3.15 – Privilege Escalation
• Chained Quiz < 1.1.8.2 – Unauthenticated Reflected XSS
• Resim Ara <= 3.0 – Unauthenticated Reflected XSS
• LearnDash < 3.1.2 – Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field.
• Flamingo < 2.1.1 – CSV Injection
• Backup and Staging by WP Time Capsule < 1.21.16 – Authentication Bypass
• InfiniteWP Client < 1.9.4.5 – Authentication Bypass
• Computer Repair Shop < 2.0 – Authenticated Stored XSS
• Ultimate Member < 2.1.3 – Insecure Direct Object Reference (IDOR)
• Video on Admin Dashboard < 1.1.4 – Authenticated Stored XSS
• WooCommerce – Store Exporter < 2.4 – CSV Injection
• Minimal Coming Soon & Maintenance Mode < 2.15 – CSRF to Stored XSS and Setting Changes
• Minimal Coming Soon & Maintenance Mode < 2.15 – Insecure Permissions: Enable and Disable Maintenance Mode
• Minimal Coming Soon & Maintenance Mode < 2.17 – Insecure permissions: Export Settings/Theme Change
• WP Simple Spreadsheet Fetcher For Google < 0.3.7 – Arbitrary API Key update via CSRF
• Ultimate FAQ < 1.8.30 – Unauthenticated Reflected XSS
• WooCommerce Conversion Tracking < 2.0.5 – CSRF to XSS
• ElegantThemes (divi, extra, divi-builder < 4.0.10) – Authenticated Code Injection
• Postie <= 1.9.40 – Post Submission Spoofing & Stored XSS
• Import Users From CSV with Meta 1.15 – Unauthorised Authenticated Users Export

More

We’re happy to announce that WPScan’s CLI JSON output can now be seamlessly imported into the Dradis Framework!

More

We have just launched a new feature on our WordPress Vulnerability Database that will allow Enterprise API users to configure a Webhook that will be triggered every time a new vulnerability is added to our database.

This has been a much requested feature by our Enterprise users and we are happy to be able to supply a solution.

More